Criticaleditor.sh - issues after upgrading to 4.3.26.
Hi,
I've looked through the mailing list after this issue and did not find the following issue in the mailing list. So I deployed 4.3.26 on a centos 6.7. migrated my config files over to the new version from prior version (4.3.17).
Everything is working except the criticaleditor.sh link under administrator, which gives me the following errors in the logs (masked my ips):
[error] [client Y.Y.Y.Y] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://X.X.X.X/xymon/xymon.html
The features that are currently using the same xymonpasswd file do work properly: enadis.sh acknowledge.sh
Has someone else expierenced this ? or might know what could be causing these issues for the criticaleditor.sh
These are the permission for my critical.cfg: -rw-rw-r-- 1 xymon apache critical.cfg
And this is my current config for apache for sec-cgi: ScriptAlias /xymon-seccgi/ "/usr/local/xymon/cgi-secure/" <Directory "/usr/local/xymon/cgi-secure"> AllowOverride None Options ExecCGI Includes Order deny,allow Allow from all AuthUserFile /usr/local/xymon/server/etc/xymonpasswd AuthGroupFile /usr/local/xymon/server/etc/xymongroups AuthType Basic AuthName "Xymon Administration" Require valid-user </Directory>
Best regards Gudmundur Freyr
Hi,
On Sun, Feb 28, 2016 at 08:24:33PM +0000, Guðmundur Freyr Hafsteinsson wrote:
Everything is working except the criticaleditor.sh link under administrator, which gives me the following errors in the logs (masked my ips):
[error] [client Y.Y.Y.Y] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://X.X.X.X/xymon/xymon.html
The features that are currently using the same xymonpasswd file do work properly: enadis.sh acknowledge.sh
I can add ackinfo.sh to the list of misbehaving CGI scripts:
When I view e.g. https://xymon.<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA= and fill out the acknowledge form on top, it does a POST request to https://xymon.<domain>/xymon-seccgi/ackinfo.sh, but since recently this returns a "404 Not Found", interestingly with the text "The requested URL /xymon-seccgi/criticalview.sh was not found on this server." (i.e. criticalview.sh instead of ackinfo.sh).
In the apache error log, this causes lines like this one:
[Thu Mar 03 14:16:16.673425 2016] [cgid:error] [pid 2311:tid 140260545623808] [client <ip>:52929] AH01264: script not found or unable to stat: /usr/lib/xymon/cgi-secure/criticalview.sh, referer: https://xymon.<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA=
/usr/lib/xymon/cgi-secure/criticalview.sh indeed does not exists, but /usr/lib/xymon/cgi-secure/ackinfo.sh does exist.
(Regarding the paths: I'm using the official Debian packages as this is my server to test them.)
Kind regards, Axel Beckert-- Axel Beckert <beckert at phys.ethz.ch> support: +41 44 633 26 68 IT Services Group, HPT H 6 voice: +41 44 633 41 89 Departement of Physics, ETH Zurich CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
With different paths (e.g. /export/home/xymon/cgi-secure/...) on Solaris 11 (SPARC), I'm seeing the criticaleditor.sh issue too; nothing of consequence differs from the existing and the newly supplied xymon-apache.conf, so that's not it.
I'm all green/clear right now, so I don't have anything to acknowledge and try that, I guess. :-)
Aside from an rcsid[] line, I don't see any difference in cgiwrap.c or criticaleditor.c between 4.3.25 and 4.3.26; going back to 4.3.24, there are definitely differences.
Just for the heck of it, I compiled 4.3.24, moved over server/bin/criticaleditor.cgi to save it under a different name, and dropped in the 4.3.24 version of it. The page then came up without the redirect problem! I did _not_ attempt editing anything, just in case the stored data format might have been changed/upgraded. Note: I didn't even replace cgiwrap or the link to it with the old one, just the actual criticaleditor.cgi binary.
So something between 4.3.24 and 4.3.26 broke it - probably something in criticaleditor.c.
On Thu, Mar 3, 2016 at 8:19 AM, Axel Beckert <beckert at phys.ethz.ch> wrote:
Hi,
On Sun, Feb 28, 2016 at 08:24:33PM +0000, Guðmundur Freyr Hafsteinsson wrote:
Everything is working except the criticaleditor.sh link under administrator, which gives me the following errors in the logs (masked my ips):
[error] [client Y.Y.Y.Y] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://X.X.X.X/xymon/xymon.html
The features that are currently using the same xymonpasswd file do work properly: enadis.sh acknowledge.sh
I can add ackinfo.sh to the list of misbehaving CGI scripts:
When I view e.g. https://xymon .<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA= and fill out the acknowledge form on top, it does a POST request to https://xymon.<domain>/xymon-seccgi/ackinfo.sh, but since recently this returns a "404 Not Found", interestingly with the text "The requested URL /xymon-seccgi/criticalview.sh was not found on this server." (i.e. criticalview.sh instead of ackinfo.sh).
In the apache error log, this causes lines like this one:
[Thu Mar 03 14:16:16.673425 2016] [cgid:error] [pid 2311:tid 140260545623808] [client <ip>:52929] AH01264: script not found or unable to stat: /usr/lib/xymon/cgi-secure/criticalview.sh, referer: https://xymon .<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA=
/usr/lib/xymon/cgi-secure/criticalview.sh indeed does not exists, but /usr/lib/xymon/cgi-secure/ackinfo.sh does exist.
(Regarding the paths: I'm using the official Debian packages as this is my server to test them.)
Kind regards, Axel Beckert-- Axel Beckert <beckert at phys.ethz.ch> support: +41 44 633 26 68 IT Services Group, HPT H 6 voice: +41 44 633 41 89 Departement of Physics, ETH Zurich CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Well this was pretty ugly.
Three distinct problems:
- criticaleditor should only be rejecting based on POSTs
- criticalview is a regular CGI, not a secure one
- ackinfo wasn't allowing ack submission directly from svcstatus POSTs
#3 is my fault -- I actually was not aware that the NK feature placed the form in that spot.
The attached patch seems to fix all three of these issues for me. I'd appreciate it if y'all could test.
Regards, -jc
On Thu, March 3, 2016 7:57 am, Richard Hamilton wrote:
With different paths (e.g. /export/home/xymon/cgi-secure/...) on Solaris 11 (SPARC), I'm seeing the criticaleditor.sh issue too; nothing of consequence differs from the existing and the newly supplied xymon-apache.conf, so that's not it.
I'm all green/clear right now, so I don't have anything to acknowledge and try that, I guess. :-)
Aside from an rcsid[] line, I don't see any difference in cgiwrap.c or criticaleditor.c between 4.3.25 and 4.3.26; going back to 4.3.24, there are definitely differences.
Just for the heck of it, I compiled 4.3.24, moved over server/bin/criticaleditor.cgi to save it under a different name, and dropped in the 4.3.24 version of it. The page then came up without the redirect problem! I did _not_ attempt editing anything, just in case the stored data format might have been changed/upgraded. Note: I didn't even replace cgiwrap or the link to it with the old one, just the actual criticaleditor.cgi binary.
So something between 4.3.24 and 4.3.26 broke it - probably something in criticaleditor.c.
On Thu, Mar 3, 2016 at 8:19 AM, Axel Beckert <beckert at phys.ethz.ch> wrote:
Hi,
On Sun, Feb 28, 2016 at 08:24:33PM +0000, Guðmundur Freyr Hafsteinsson wrote:
Everything is working except the criticaleditor.sh link under administrator, which gives me the following errors in the logs (masked my ips):
[error] [client Y.Y.Y.Y] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://X.X.X.X/xymon/xymon.html
The features that are currently using the same xymonpasswd file do work properly: enadis.sh acknowledge.sh
I can add ackinfo.sh to the list of misbehaving CGI scripts:
When I view e.g. https://xymon .<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA= and fill out the acknowledge form on top, it does a POST request to https://xymon.<domain>/xymon-seccgi/ackinfo.sh, but since recently this returns a "404 Not Found", interestingly with the text "The requested URL /xymon-seccgi/criticalview.sh was not found on this server." (i.e. criticalview.sh instead of ackinfo.sh).
In the apache error log, this causes lines like this one:
[Thu Mar 03 14:16:16.673425 2016] [cgid:error] [pid 2311:tid 140260545623808] [client <ip>:52929] AH01264: script not found or unable to stat: /usr/lib/xymon/cgi-secure/criticalview.sh, referer: https://xymon .<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA=
/usr/lib/xymon/cgi-secure/criticalview.sh indeed does not exists, but /usr/lib/xymon/cgi-secure/ackinfo.sh does exist.
(Regarding the paths: I'm using the official Debian packages as this is my server to test them.)
Kind regards, Axel Beckert-- Axel Beckert <beckert at phys.ethz.ch> support: +41 44 633 26 68 IT Services Group, HPT H 6 voice: +41 44 633 41 89 Departement of Physics, ETH Zurich CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
This appears to fix criticaleditor; I do get an error Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, rlhamil at richard-hamilton.name and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
if I try to go past the last record; don't know if that's supposed to happen or not.
The rest, I don't know how to test.
On Thu, Mar 3, 2016 at 3:13 PM, J.C. Cleaver <cleaver at terabithia.org> wrote:
Well this was pretty ugly.
Three distinct problems:
- criticaleditor should only be rejecting based on POSTs
- criticalview is a regular CGI, not a secure one
- ackinfo wasn't allowing ack submission directly from svcstatus POSTs
#3 is my fault -- I actually was not aware that the NK feature placed the form in that spot.
The attached patch seems to fix all three of these issues for me. I'd appreciate it if y'all could test.
Regards, -jc
On Thu, March 3, 2016 7:57 am, Richard Hamilton wrote:
With different paths (e.g. /export/home/xymon/cgi-secure/...) on Solaris 11 (SPARC), I'm seeing the criticaleditor.sh issue too; nothing of consequence differs from the existing and the newly supplied xymon-apache.conf, so that's not it.
I'm all green/clear right now, so I don't have anything to acknowledge and try that, I guess. :-)
Aside from an rcsid[] line, I don't see any difference in cgiwrap.c or criticaleditor.c between 4.3.25 and 4.3.26; going back to 4.3.24, there are definitely differences.
Just for the heck of it, I compiled 4.3.24, moved over server/bin/criticaleditor.cgi to save it under a different name, and dropped in the 4.3.24 version of it. The page then came up without the redirect problem! I did _not_ attempt editing anything, just in case the stored data format might have been changed/upgraded. Note: I didn't even replace cgiwrap or the link to it with the old one, just the actual criticaleditor.cgi binary.
So something between 4.3.24 and 4.3.26 broke it - probably something in criticaleditor.c.
On Thu, Mar 3, 2016 at 8:19 AM, Axel Beckert <beckert at phys.ethz.ch> wrote:
Hi,
On Sun, Feb 28, 2016 at 08:24:33PM +0000, Guðmundur Freyr Hafsteinsson wrote:
Everything is working except the criticaleditor.sh link under administrator, which gives me the following errors in the logs (masked my ips):
[error] [client Y.Y.Y.Y] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://X.X.X.X/xymon/xymon.html
The features that are currently using the same xymonpasswd file do work properly: enadis.sh acknowledge.sh
I can add ackinfo.sh to the list of misbehaving CGI scripts:
When I view e.g. https://xymon
.<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA=
and fill out the acknowledge form on top, it does a POST request to https://xymon.<domain>/xymon-seccgi/ackinfo.sh, but since recently this returns a "404 Not Found", interestingly with the text "The requested URL /xymon-seccgi/criticalview.sh was not found on this server." (i.e. criticalview.sh instead of ackinfo.sh).
In the apache error log, this causes lines like this one:
[Thu Mar 03 14:16:16.673425 2016] [cgid:error] [pid 2311:tid 140260545623808] [client <ip>:52929] AH01264: script not found or unable to stat: /usr/lib/xymon/cgi-secure/criticalview.sh, referer: https://xymon
.<domain>/xymon-cgi/svcstatus.sh?HOST=<somehost>&SERVICE=<someservice>&NKPRIO=1&NKTTGROUP=&NKTTEXTRA=
/usr/lib/xymon/cgi-secure/criticalview.sh indeed does not exists, but /usr/lib/xymon/cgi-secure/ackinfo.sh does exist.
(Regarding the paths: I'm using the official Debian packages as this is my server to test them.)
Kind regards, Axel Beckert-- Axel Beckert <beckert at phys.ethz.ch> support: +41 44 633 26 68 IT Services Group, HPT H 6 voice: +41 44 633 41 89 Departement of Physics, ETH Zurich CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Hi J.C.
On Thu, Mar 03, 2016 at 12:13:51PM -0800, J.C. Cleaver wrote:
Three distinct problems:
- criticaleditor should only be rejecting based on POSTs
- criticalview is a regular CGI, not a secure one
- ackinfo wasn't allowing ack submission directly from svcstatus POSTs
#3 is my fault -- I actually was not aware that the NK feature placed the form in that spot.
The attached patch seems to fix all three of these issues for me. I'd appreciate it if y'all could test.
Fixes my issue: I can ack issues from the svcstatus view of critical hosts again. Thanks!
Shall I expect a 4.3.27 rather soon or shall I fix this in Debian for now with this patch? I tend to the latter.
Kind regards, Axel Beckert-- Axel Beckert <beckert at phys.ethz.ch> support: +41 44 633 26 68 IT Services Group, HPT H 6 voice: +41 44 633 41 89 Departement of Physics, ETH Zurich CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
On Fri, March 4, 2016 6:14 am, Axel Beckert wrote:
Hi J.C.
On Thu, Mar 03, 2016 at 12:13:51PM -0800, J.C. Cleaver wrote:
Three distinct problems:
- criticaleditor should only be rejecting based on POSTs
- criticalview is a regular CGI, not a secure one
- ackinfo wasn't allowing ack submission directly from svcstatus POSTs
#3 is my fault -- I actually was not aware that the NK feature placed the form in that spot.
The attached patch seems to fix all three of these issues for me. I'd appreciate it if y'all could test.
Fixes my issue: I can ack issues from the svcstatus view of critical hosts again. Thanks!
Shall I expect a 4.3.27 rather soon or shall I fix this in Debian for now with this patch? I tend to the latter.
For today, I'd suggest the patch.
I'd like to validate further and catch any other issues that might crop up before 4.3.27 (early next week).
Regards, -jc
participants (4)
-
beckert@phys.ethz.ch
-
cleaver@terabithia.org
-
gudmundur.freyr.hafsteinsson@advania.is
-
rlhamil2@gmail.com